The SnapBill permission system uses longest-prefix matching on URLs, which mirror the structure of SnapBill itself. By default, all users simply have the / permission enabled. You can enable or disable individual permissions such as /client (access to a single client) or /contact/update (ability to update a contact).
The system works by looking for the ALLOW/DENY code on the longest matching prefix of the current URL or required permission. For example, if you wanted to disallow access to everything by default but allow access to single clients (though not to update them), you could use the following rules:
DENY /
ALLOW /client
DENY /client/update
Allow access to search and view clients, but not to do anything else with them:
DENY /
ALLOW /clients
ALLOW /client
DENY /client/*
Allow access to the system as usual, but don't allow anything in the setup or statistics areas:
ALLOW /
DENY /setup
DENY /statistics
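
The following added example (not SnapBill's own code) evaluates the three rule sets above with a longest-prefix lookup, so a rule set can be checked against the URLs it is meant to cover before it is relied on. It assumes that prefixes match on whole path segments, that a trailing /* covers only paths strictly below the prefix, and that a URL with no matching rule is denied; the function and constant names are hypothetical.

```python
# Added example, not SnapBill code. Assumptions are marked in comments.
RESTRICTED = "DENY /\nALLOW /client\nDENY /client/update"
READ_ONLY = "DENY /\nALLOW /clients\nALLOW /client\nDENY /client/*"
NO_ADMIN = "ALLOW /\nDENY /setup\nDENY /statistics"


def split_path(path):
    """Split '/client/update' into ['client', 'update']; '/' becomes []."""
    return [segment for segment in path.split("/") if segment]


def parse_rules(text):
    """Parse 'ALLOW /path' or 'DENY /path' lines into rule tuples."""
    rules = []
    for line in text.strip().splitlines():
        action, path = line.split()
        if action not in ("ALLOW", "DENY"):
            raise ValueError(f"unknown action: {action!r}")
        # Assumption: a trailing /* covers only paths strictly below the prefix.
        below_only = path.endswith("/*")
        if below_only:
            path = path[:-2]
        rules.append((split_path(path), below_only, action == "ALLOW"))
    return rules


def is_allowed(rules_text, url):
    """Apply the ALLOW/DENY code of the longest matching prefix."""
    target = split_path(url)
    best_key, decision = None, False  # Assumption: deny when no rule matches.
    for prefix, below_only, allow in parse_rules(rules_text):
        # Assumption: prefixes match whole segments (/client is not a prefix of /clients).
        if target[:len(prefix)] != prefix:
            continue
        if below_only and len(target) == len(prefix):
            continue
        key = (len(prefix), below_only)  # /client/* outranks a plain /client
        if best_key is None or key > best_key:
            best_key, decision = key, allow
    return decision


if __name__ == "__main__":
    for url in ("/client", "/client/update", "/clients"):
        print(url, is_allowed(RESTRICTED, url))
```

Under plain string-prefix matching instead of the segment matching assumed here, ALLOW /client in the first rule set would also match /clients, so it is worth testing sibling paths like that against the real system.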